The present invention relates to a method of enabling a server to authorize access to a service on the basis of portable devices having electronic microcircuits, e.g. devices of the smart card type.
In the nineteen-seventies, the advent of the concept of a card having electronic microcircuits, now commonly referred to as a “smart card” or a “chip card”, and incorporating in particular a microprocessor and a non-volatile memory of the EEPROM type, opened up numerous applications, in particular for use by the general public, with the appearance of card-operated public telephones, and then banking terminals taking advantage of the facilities offered by the microprocessors incorporated in such cards.
In general, such a card can be used as a mere access key for obtaining access to a service, whether such access be customized or otherwise, and whether it be secure or otherwise, and/or as a means for validating information transfer, e.g. between two cards, between a card and a terminal, or between two terminals, whether such information is confidential or otherwise, and whether the transfer takes place remotely or otherwise.
In most of the intended applications, access to a service or the transfer of information is preceded by executing an identification protocol of the one-way type or of the both-way type, which protocol takes into account at least one item of specific information that is prerecorded in the memory of the card.
The specific information taken into account in an identification protocol may be a confidential code or “PIN” code which is allocated to the bearer of the card and which enables the microprocessor of the card to authenticate said bearer before authorizing the bearer to access the requested service, as in the case of a banking transaction, for example.
The specific information taken into account in an identification protocol may also be a code specific to the service requested by the bearer of the card.
In that case, the code contained in the card is transmitted, remotely or otherwise, to a server for identification purposes. The identification protocol is either one-way, in which case the server authorizes access to the requested service merely on the basis of recognizing the code transmitted by the card, or both-way, in which case the server authorizes access to the requested service after various codes have been interchanged, which codes are computed separately in the card and in the server, such codes taking into account a secret key and/or random numbers, for example.
The codes computed separately in the card and in the server may be cryptograms, but each cryptogram transmitted by the card to the server must be accompanied by synchronization information to enable the server to authenticate the cryptogram transmitted by the card. The synchronization information may be a time stamp, but that requires either the contents of a counter, or a time base in the card, which time base must be synchronized with the time base of the server. Such solutions are described in particular in Documents U.S. Pat. No. 4,601,011 and EP-A-0 451 056.
Such solutions suffer, in particular, from the drawback of being complex and difficult to implement.
An object of the invention is to design an identification protocol that is simple and easy to implement, while guaranteeing a degree of security that is high enough to protect it from fraudulent users or “attackers”.
To this end, the invention provides a method of enabling a server to authorize access to a service from portable devices having electronic microcircuits, e.g., devices of the smart card type, said method being characterized in that it consists of initializing each portable device and the server, and, when a user requests access from a portable device, the method consists, in a synchronization first step, of:
causing the portable device to transmit at least a first identity sequence containing at least an identity number Nc allocated to the portable device and a cryptogram Ci computed by processing circuits of the portable device, this cryptogram Ci being the result of an iterative algorithm A2 being executed that is based on a non-invertible secret-key function F2, and being such that its value is computed at least on the basis of the value of the preceding cryptogram Ci−1;
transmitting the first identity sequence to the server via a terminal;
causing processing circuits of the server to use the same iterative algorithm A2 as the algorithm used by the portable devices to compute successive cryptograms Q1, Q2, . . . on the basis of a cryptogram Q0 stored in the server and whose value is equal to the value of the cryptogram Ci−n which was contained in the most recent identity sequence transmitted by the portable device to the server, until a cryptogram Qn is found whose value is equal to the value of the cryptogram Ci contained in the first identity sequence; and
giving a new value to the cryptogram Q0 stored in the server, which new value is equal to the value of the cryptogram Ci;
and in that the method consists, in an authentication second step, of causing the access request to be validated by the server only if at least the synchronization first step has been satisfied.
To reinforce the security of the identification protocol, and according to another characteristic of the invention, in the authentication second step and once the synchronization step has been satisfied, the method consists of:
causing the portable device to transmit a second identity sequence containing at least the identity number Nc allocated to the portable device and the cryptogram Ci+1 computed by the portable device on the basis of the cryptogram Ci contained in the first identity sequence and stored in the portable device;
transmitting the second identity sequence to the server via the terminal;
causing the server to execute the algorithm A2 so as to compute the cryptogram Q1 on the basis of the value of the cryptogram Q0 stored in the server;
causing the access request to be validated by the server only if the values of the two cryptograms Ci+1 and Q1 are equal; and
giving a new value to the cryptogram Q0 stored in the server, which new value is equal to the value of the cryptogram Ci+1.
The fact that two identity sequences must be transmitted successively by the portable device before the server authorizes access makes it possible to reinforce its security against attackers.
In general, during the synchronization step and during the authentication step, the method also consists of:
causing each portable device to compute and store a new cryptogram Ci+1 when it transmits an identity sequence containing the previously computed cryptogram Ci; and
causing the algorithms A2 for computing the cryptograms of the portable devices and of the server to take into account confidential data Gc allocated to the portable device by an authorized person.
Thus, on each request for access to the server from a portable device, the server manages an identification protocol which comprises a synchronization step and an authentication step.
The identification protocol can run only if each portable device and the server have been initialized, i.e. only if they contain the information necessary to be able to execute the identification protocol.
In general, initializing each portable device consists of storing at least the following items of information in a non-volatile memory of the EEPROM type in the portable device:
an identity number Nc allocated to the portable device;
confidential data Gc allocated to the portable device; and
the value of an initial cryptogram C0 to enable the portable device then to compute the successive cryptograms C1, C2, . . .
During initialization of the portable device, the method may consist of diversifying or varying the confidential data Gc allocated to each portable device on the basis of base data, and on the basis of an algorithm A1 corresponding to a function F1 having a secret key Ks, the base data being, for example, the identity number Nc allocated to each portable device.
The portable devices are initialized by an authorized person prior to being delivered to users. As a function of the intended applications, it is naturally possible to store other information in each portable device, but the information concerning the identity number Nc, the confidential data Gc, and the value of the initial cryptogram C0 is necessary to implement the identification protocol in a preferred implementation, regardless of the intended application.
In general, initializing the server consists of causing the server to store the specific data allocated to each portable device so as to be able to implement the synchronization step and the authentication step resulting in or preventing access to the service requested by the user. In practice, the following are stored in a file of the server and for each portable device: the identity number Nc; the confidential data Gc or the secret key Ks enabling the server to compute said confidential data each time the portable device is used; and a cryptogram Q0 whose value is equal to the value of the initial cryptogram C0 so as to be able to compute the successive cryptograms Q1, Q2, . . . on the same basis as the basis used by the portable devices for computing the successive cryptograms C1, C2, . . .
Initialization of the server is also performed by an authorized person who is not necessarily the same person as the person who initializes the portable devices. Depending on the intended applications, initialization of the server is either performed entirely prior to delivering the portable devices to users, or else it is completed the first time access to the server is requested, with users already being in possession of the portable devices.
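The following is an added worked example, not code from the patent itself, covering the initialization described above together with the synchronization and authentication steps. The text does not fix the functions F1 and F2, so both are assumed here to be HMAC-SHA256 (F1 keyed with Ks to diversify Gc from Nc, F2 keyed with Gc to chain each cryptogram from the previous one). The server's search for Qn is bounded by an assumed window MAX_DESYNC, which the text leaves open; the class and function names are likewise assumptions. All keys and values are constructed for the demonstration.

```python
import hashlib
import hmac

# Assumed instantiation of F1 (algorithm A1): diversify Gc from the base data Nc under secret key Ks.
def f1_diversify(ks: bytes, nc: bytes) -> bytes:
    return hmac.new(ks, nc, hashlib.sha256).digest()

# Assumed instantiation of F2 (algorithm A2): Ci = F2(Gc, Ci-1). Non-invertible, so a captured
# cryptogram does not reveal the preceding one and cannot be extended without Gc.
def f2_next(gc: bytes, prev: bytes) -> bytes:
    return hmac.new(gc, prev, hashlib.sha256).digest()


class PortableDevice:
    """Card side: holds Nc, Gc and the last cryptogram; each identity sequence advances the chain."""

    def __init__(self, nc: bytes, gc: bytes, c0: bytes):
        self.nc = nc
        self.gc = gc
        self.last = c0  # C0 at initialization; afterwards the most recently transmitted Ci

    def identity_sequence(self) -> tuple[bytes, bytes]:
        # Compute and store the new cryptogram, then transmit (Nc, Ci).
        self.last = f2_next(self.gc, self.last)
        return (self.nc, self.last)


class Server:
    """Server side: per-card record of Q0, plus Ks so Gc can be recomputed on each use."""

    MAX_DESYNC = 10  # assumed bound on the synchronization search; the text says only "until found"

    def __init__(self, ks: bytes):
        self.ks = ks
        self.records: dict[bytes, bytes] = {}  # Nc -> Q0

    def enrol(self, nc: bytes, c0: bytes) -> None:
        self.records[nc] = c0  # Q0 := C0

    def _gc(self, nc: bytes) -> bytes:
        return f1_diversify(self.ks, nc)

    def synchronize(self, nc: bytes, ci: bytes) -> bool:
        """Step 1: iterate Q1, Q2, ... from Q0 until Qn == Ci, then set Q0 := Ci."""
        if nc not in self.records:
            return False
        gc = self._gc(nc)
        q = self.records[nc]
        for _ in range(self.MAX_DESYNC):
            q = f2_next(gc, q)  # starting at Q1 means a replay of the stored Q0 never matches
            if hmac.compare_digest(q, ci):
                self.records[nc] = ci
                return True
        return False  # Q0 is left unchanged on failure

    def authenticate(self, nc: bytes, ci_plus_1: bytes) -> bool:
        """Step 2: Q1 computed from the freshly synchronized Q0 must equal Ci+1; then Q0 := Ci+1."""
        if nc not in self.records:
            return False
        q1 = f2_next(self._gc(nc), self.records[nc])
        if hmac.compare_digest(q1, ci_plus_1):
            self.records[nc] = ci_plus_1
            return True
        return False

    def access_request(self, first_seq: tuple[bytes, bytes], second_seq: tuple[bytes, bytes]) -> bool:
        """Full protocol: access is granted only if both steps succeed for the same Nc."""
        nc, ci = first_seq
        if not self.synchronize(nc, ci):
            return False
        nc2, ci_plus_1 = second_seq
        if nc2 != nc:
            return False
        return self.authenticate(nc2, ci_plus_1)


def run_demo() -> dict[str, bool]:
    """Initialize one card and the server (constructed values), then exercise the protocol."""
    ks = b"constructed master secret key Ks"
    nc = b"Nc-0001"
    c0 = b"constructed initial cryptogram C0"
    card = PortableDevice(nc, f1_diversify(ks, nc), c0)
    server = Server(ks)
    server.enrol(nc, c0)
    results = {}
    results["normal_access"] = server.access_request(card.identity_sequence(), card.identity_sequence())
    captured = (card.identity_sequence(), card.identity_sequence())
    results["captured_first_use"] = server.access_request(*captured)
    results["replay_rejected"] = not server.access_request(*captured)
    for _ in range(3):  # three sequences the server never received (e.g. lost in transit)
        card.identity_sequence()
    results["resync_within_window"] = server.access_request(card.identity_sequence(), card.identity_sequence())
    for _ in range(Server.MAX_DESYNC + 1):
        card.identity_sequence()
    results["beyond_window_rejected"] = not server.access_request(card.identity_sequence(), card.identity_sequence())
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Two points the run makes visible: because the server starts its search at Q1, a captured pair of identity sequences is accepted once and rejected on replay, and because Q0 is updated only on a match, a card that has advanced past the search window stays rejected until it is re-initialized, so the window size trades denial-of-service resistance against tolerance for lost transmissions.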
These initialization operations for initializing the portable devices and the server are explained in detail below in examples of applications of the method.
An important advantage of the invention is that the method can be implemented in numerous and varied applications including home banking, remote payment of tolls, and motor vehicle alarms, where access to a service from a portable device is authorized or not authorized as a function of the result of execution of an identification protocol under the control of a server which manages the requested service and which is connected to a terminal that provides the interface between the portable device and the server.
Another advantage of the invention is that the method can be implemented by simple means, in particular as regards the portable devices which substantially reproduce the known characteristics of smart cards, and in particular of cards equipped with voice or radio-frequency output interfaces for transmitting the identity sequences to the server.
Other characteristics, advantages, and details of the invention are explained below with reference to the three above-mentioned applications to emphasize the diversity of the applications for which the invention may be advantageous.